Develop Reference

Start ssh using systemctl inside the docker container

I' m a beginner in the Docker;
I have pulled a CentOS 7 image from Hub and ran it ;
I need to ssh in to the docker container(CentOS 7) from my host.
Got the docker container's IP using docker inspect container-id
I have installed the following using
initscripts
systemd.x86_64
systemd-libs.x86_64
open-ssh
firewalld
net-tools
when i tried to start the firewall to open the port for ssh(22)
[root#a6f3e3eb095c ~]# systemctl start firewall
Failed to get D-Bus connection: Operation not permitted
Also tried,
[root#a6f3e3eb095c ~]# /usr/lib/systemd/systemd --system &
[1] 353
[root#a6f3e3eb095c ~]# systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization xen.
Detected architecture x86-64.
Welcome to CentOS Linux 7 (Core)!
Set hostname to <a6f3e3eb095c>.
Cannot determine cgroup we are running in: No such file or directory
Failed to allocate manager object: No such file or directory
[1]+ Exit 1 /usr/lib/systemd/systemd --system
How to start the firewall/ssh inside the docker container ?

inside docker container run following commands :
yum update -y glibc-common
yum install -y sudo passwd openssh-server openssh-clients tar screen crontabs strace telnet perl libpcap bc patch ntp dnsmasq unzip pax which
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install -y hiera lsyncd sshpass rng-tools
service sshd start;
sed -i 's/UsePAM yes/#UsePAM yes/g' /etc/ssh/sshd_config;
sed -i 's/#UsePAM no/UsePAM no/g' /etc/ssh/sshd_config;
sed -i 's/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config;
sed -i 's/enabled=0/enabled=1/' /etc/yum.repos.d/CentOS-Base.repo
mkdir -p /root/.ssh/;
rm -f /var/lib/rpm/.rpm.lock;
echo "StrictHostKeyChecking=no" > /root/.ssh/config;
echo "UserKnownHostsFile=/dev/null" >> /root/.ssh/config
echo "root:password" | chpasswd
( or )
Simply you can pull docker image of centos with ssh in docker hub
https://hub.docker.com/search/?isAutomated=0&isOfficial=0&page=1&pullCount=0&q=centos+ssh&starCount=0
https://hub.docker.com/r/kinogmt/centos-ssh/
https://hub.docker.com/r/jdeathe/centos-ssh/

You can avoid the "Failed to get D-Bus connection: Operation not permitted" / aka installing systemd inside a docker by using the https://github.com/gdraheim/docker-systemctl-replacement ... after that the docker-exec stuff should be all fine to do things inside a container.

If you really do need an ssh or sftp container, then you can use my Docker Image as a source image for your own or run it directly:
If using the official CentOS-7 Image and you require systemd, there are instructions on how to enable it under the section "Systemd integration".
However, based on the following:
I need to ssh in to the docker container(CentOS 7) from my host.
You can use docker exec to run commands in a running, (backgrounded), container so, for images that have bash available, you can access an interactive tty and run bash as follows from your host - where container can be either the name or id:
docker exec --tty --interactive <container> bash
OR
docker exec -ti <container> bash
Finally, it's unlikely to be necessary to install the firewall package in your image as the operator will decide what ports to publish from those which are exposed and you can make use of Docker Networking to only expose the necessary public facing services.

If you are using the Docker CLI, then you can get into the Docker container using the following command
docker exec -it containerId bash
I am not sure how to ssh into the docker container, but if you want to do basic operation inside the Docker container, you can make use of the above docker command.

Docker: any way to list open sockets inside a running docker container?

I would like to execute netstat inside a running docker container to see open TCP sockets and their statuses. But, on some of my docker containers, netstat is not available. Is there any way to get open sockets (and their statuses, and which IP addresses they are connected to if any) without using netstat, via some docker API? (BTW, my container uses docker-proxy - that is, not directly bridged)
I guess I could look at /proc file system directly, but at that point, I might as well docker cp netstat into the container and execute it. I was wondering if there was any facility that docker might provide for this.

You can use the nsenter command to run a command on your host inside the network namespace of the Docker container. Just get the PID of your Docker container:
docker inspect -f '{{.State.Pid}}' container_name_or_id
For example, on my system:
$ docker inspect -f '{{.State.Pid}}' c70b53d98466
15652
And once you have the PID, use that as the argument to the target (-t) option of nsenter. For example, to run netstat inside the container network namespace:
$ sudo nsenter -t 15652 -n netstat
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
Notice that this worked even though the container does not have netstat installed:
$ docker exec -it c70b53d98466 netstat
rpc error: code = 13 desc = invalid header field value "oci runtime error: exec failed: container_linux.go:247: starting container process caused \"exec: \\\"netstat\\\": executable file not found in $PATH\"\n"
(nsenter is part of the util-linux package)

The two commands from #larsks answer merged into one-liner - no need to copy-paste the PID(s) (just replace container_name_or_id):
sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' container_name_or_id) -n netstat

If you have iproute2 package installed, you can use
sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' container_name_or_id) -n ss
or
sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' container_name_or_id) -n ss -ltu
It will show TCP and UDP

If you want them all (all containers) try this.
$ for i in `docker ps -q` ; do sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' $i) -n netstat ; done

I tried the other solutions and it didn't work for me by my colleague gave me this solution. Thought I would mention it here for others like me and for me to refer to later lol.
docker exec -it [container name] bash
grep -v “rem_address” /proc/net/tcp

docker inspect <container_id>
Look for "ExposedPorts" in "Config"

server:docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
80acfa804b59 admirito/gsad:10 "docker-entrypoint.s…" 18 minutes ago Up 10 minutes 80/tcp gvmcontainers_gsad_1

How do i expose the Docker Remote API on Centos 7?

On ubuntu i can go into /etc/init/docker.conf and put in DOCKER_OPTS='-H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock' to get the json data to display on my browser but how can i do it for Centos?
I have tried creating a file in /etc/sysconfig/docker and placing other_args="-H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock" inside the file and restarting docker but it doesn't do anything.

The systemd unit installed by the Docker corp package hardcodes the command line used to start the docker daemon:
[Service]
Type=notify
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
[...]
There is no support for reading a file from /etc/sysconfig or elsewhere to modify the command line. Fortunately, systemd gives us the tools we need to change this behavior.
The simplest solution is probably to create the file /etc/systemd/system/docker.service.d/docker-external.conf (the exact filename doesn't matter; it just needs to end with .conf) with the following contents:
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock
And then:
systemctl daemon-reload
systemctl restart docker
This is actually documented on the Docker website in this document, which includes instructions for a more flexible solution that will allow you to use files in /etc/sysconfig to control the daemon.

Yes, you can do the configuration thing. But how about a docker solution to a docker problem?
docker run -d \
--name sherpa \
-v /var/run/docker.sock:/tmp/docker.sock \
-p 2375:4550 \
djenriquez/sherpa --allow
Proxies access to the socket through port 2375 on localhost.

1、edit /usr/lib/systemd/system/docker.service to add two params in the service section:
# vim /usr/lib/systemd/system/docker.service
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock
2、reload the configuration, and then restart docker。
# systemctl daemon-reload
# systemctl restart docker
3、to check for success, see if the return the following response。
# ps -ef|grep docker
root 26208 1 0 23:51 ? 00:00:00 /usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock
reference from Expose the Docker Remote API on Centos 7?

Docker: user namespace remapping not working although enabled for daemon

Processes in docker containers are still running under the "host's" UID although I have enabled user namespace remapping.
OS is: Ubuntu 16.04 on 4.4.0-21 with
> sudo docker --version
Docker version 1.12.0, build 8eab29e
dockerd configuration is
> grep "DOCKER_OPTS" /etc/default/docker
DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --ipv6 --userns-remap=default"
subordinate UID and GID mappings have been created, when I had run manually, i.e., with the above docker opts string
> grep "dock" /etc/sub*
/etc/subgid:dockremap:362144:65536
/etc/subuid:dockremap:362144:65536
However, the sub UID/GIDs got not created when I (re)started dockerd as service - but had to run it manually.
Also after restarting dockerd, all processes in containers are not in the remapped range but 1to1 that of the host, i.e., a container root process still has UID=0.
E.g., a test container running just top
> sudo docker run -t -i ubuntu /usr/bin/top
...
has top run by UID=0 when checked outside the container on the host
> ps -xaf --forest -o pid,ruid,ruser,cmd | grep top
PID RUID RUSER CMD
23015 0 root | \_ sudo docker run -t -i ubuntu /usr/bin/top
23016 0 root | \_ docker run -t -i ubuntu /usr/bin/top
Apparently, the remapping to subordinate UIDs is not working for me when running docker as a daemon?

/etc/default/docker is not used when running the dockerd via systemd.
Thus any changes I did on the docker-config (after the dist-upgrade I had applied before) where not applied.
For configuring the docker daemon with Systemd see the documantation at
https://docs.docker.com/engine/admin/systemd/
with the configuration drop-in file(s) going to
/etc/systemd/system/docker.service.d

Can not pull docker image

I want to pull ubuntu image , but there is some errors shown
wangyaos-MBP-3:test wangyao$ sudo docker pull dl.dockerpool.com:5000/ubuntu:12.04
Post http:///var/run/docker.sock/v1.19/images/create?fromImage=dl.dockerpool.com%3A5000%2Fubuntu%3A12.04: dial unix /var/run/docker.sock: no such file or directory. Are you trying to connect to a TLS-enabled daemon without TLS?
but i can pull it in using $docker run ubuntu:14.04 grep -v '^#' /etc/apt/sources.list, it' too slowly.
How could I do to make it work ?

So your docker daemon is running with TLS and you are trying to connect without TLS(certificates). To check follow steps:-
boot2docker ssh - It will ssh to vm where docker daemon is running
ps -eaf | grep docker - check docker running with TLS and certificates.
You have 2 options -
Export DOCKER_CERT_PATH and DOCKER_TLS_VERIFY using $(boot2docker shellinit)
Or Start docker daemon without TLS.
Option 1
Run command $(boot2docker shellinit), it will set DOCKER_CERT_PATH and DOCKER_TLS_VERIFY for you and you will be able to run command.
Option 2
Follow steps -
boot2docker ssh
ps -eaf | grep docker - Get the PID of docker daemon running
sudo kill -9
docker -d -H unix:// -H tcp://0.0.0.0:2375 --insecure-registry dl.dockerpool.com:5000 &
exit from vm
export DOCKER_CERT_PATH=""
export DOCKER_TLS_VERIFY=""
export DOCKER_HOST=tcp://127.0.0.1:2375
Try to run docker pull command. It should work.
To summarize, if your docker daemon is running with TLS, you have to set certificate path and enable TLS. If your docker daemon is running without certificate then you will have to unset certificate and TLS(if set).